Every cyberattack begins with initial access: the moment an adversary establishes their first foothold within a target environment. The MITRE ATT&CK framework catalogues these entry techniques under the Initial Access tactic (TA0001), providing security teams with a structured understanding of how attackers breach organisational defences.
Understanding initial access techniques is foundational to building effective detection and prevention strategies. If you can detect and block attackers at the point of entry, the entire downstream kill chain, including persistence, lateral movement, and data exfiltration, never materialises.
This article examines the five most prevalent initial access techniques observed in real-world attacks, with practical detection and prevention strategies for each.
T1566: Phishing
Phishing remains the single most common initial access technique. MITRE currently lists four sub-techniques under T1566; this article covers the three that deliver content to the victim: spearphishing attachments (T1566.001), spearphishing links (T1566.002), and spearphishing via service (T1566.003). The fourth, spearphishing voice (T1566.004), relies on a phone call to coax the victim into an action rather than on a delivered file or link.
How It Works
Spearphishing attachments deliver malicious payloads directly to the victim's inbox. Common attachment types include Microsoft Office documents with embedded macros, PDF files with JavaScript, HTML attachments that render credential harvesting forms locally, and archive files (ZIP, RAR, ISO) containing executable payloads.
Spearphishing links direct victims to attacker-controlled infrastructure. These links may lead to credential harvesting pages that mimic legitimate login portals, drive-by download sites that exploit browser vulnerabilities, or OAuth consent phishing pages that trick users into granting application access to their accounts.
Spearphishing via service uses non-email channels, such as LinkedIn messages, Microsoft Teams chats, Slack messages, or SMS, to deliver phishing content. These channels often receive less security scrutiny than email, making them increasingly attractive to sophisticated threat actors.
Detection Strategies
- Monitor for Office applications spawning suspicious child processes (PowerShell, cmd.exe, mshta.exe, wscript.exe)
- Detect HTML files opened from email that make external network connections
- Track OAuth application consent events, particularly for applications requesting broad Microsoft Graph permissions such as Mail.Read or Files.ReadWrite.All, and for consents granted to newly registered or unverified publishers
- Alert on credential submission to newly registered domains or domains with low reputation scores
- Correlate email gateway logs with endpoint telemetry to identify cases where a user received a suspicious email and subsequently exhibited anomalous behaviour
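The first and last detection items above combine naturally: an Office parent spawning a scripting host is a useful signal on its own, and it becomes a high-confidence alert when the same user received a risky attachment minutes earlier. The following is an added illustration, not SenseOn's code or any product's detection logic; the email-gateway and process-creation records are constructed, the field names are a simplified Sysmon-style schema, and the parent/child lists are a starting point rather than a complete rule set.

```python
"""Phishing detection: flag Office applications spawning scripting hosts and
correlate those hits with email-gateway delivery records.  Added illustration,
not SenseOn code; log records and field names are constructed (Sysmon-style)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe"}
RISKY_EXTENSIONS = (".docm", ".xlsm", ".html", ".htm", ".iso", ".img", ".zip",
                    ".rar", ".lnk")
# PowerShell accepts -e / -ec / -enc / -encodedcommand; all are worth noting.
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s", re.IGNORECASE)

# Constructed email-gateway records: who received what, from whom, and when.
MAIL_LOG = [
    {"user": "alice", "ts": "2024-05-01T09:02:11", "sender": "billing@invoice-portal.example",
     "attachment": "invoice_0451.docm"},
    {"user": "bob", "ts": "2024-05-01T09:10:00", "sender": "pm@corp.example",
     "attachment": "agenda.pdf"},
    {"user": "carol", "ts": "2024-05-01T08:00:00", "sender": "hr@corp.example",
     "attachment": "payroll.xlsm"},
]

# Constructed endpoint process-creation records (parent image, child image).
PROC_LOG = [
    {"user": "alice", "ts": "2024-05-01T09:05:40", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA..."},
    {"user": "bob", "ts": "2024-05-01T09:12:00", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell Get-Process"},
    {"user": "carol", "ts": "2024-05-01T11:00:00", "parent": "EXCEL.EXE",
     "image": "cmd.exe", "cmdline": "cmd /c whoami"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def suspicious_office_children(events):
    """Rule 1: an Office application spawning a scripting host or LOLBin."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_PARENTS
            and e["image"].lower() in SUSPICIOUS_CHILDREN]


def correlate(mail_events, proc_events, window=timedelta(minutes=30)):
    """Rule 2: the same user received a risky attachment and, within `window`,
    triggered rule 1.  Returns one alert per (user, attachment, child)."""
    risky_mail = defaultdict(list)
    for m in mail_events:
        if m["attachment"].lower().endswith(RISKY_EXTENSIONS):
            risky_mail[m["user"]].append(m)
    alerts = []
    for hit in suspicious_office_children(proc_events):
        for m in risky_mail.get(hit["user"], []):
            delta = _ts(hit["ts"]) - _ts(m["ts"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": hit["user"], "attachment": m["attachment"],
                    "sender": m["sender"], "child": hit["image"],
                    "encoded_command": bool(ENCODED_RE.search(hit["cmdline"])),
                    "minutes_after_delivery": round(delta.total_seconds() / 60, 1),
                    "severity": "high",
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(MAIL_LOG, PROC_LOG):
        print(a)
```

Carol's cmd.exe launched from Excel still surfaces through rule 1 and deserves triage, but it sits three hours after the only risky attachment she received, so the correlation window keeps it out of the high-severity queue. Tune the window to your environment: users often open an attachment hours after delivery, so a wider window trades precision for recall.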
Prevention Measures
- Deploy email security solutions with attachment sandboxing and URL rewriting
- Publish SPF, DKIM, and DMARC records for your own domains so that others can reject spoofed mail claiming to be from you, and enforce DMARC (quarantine or reject) on inbound mail
- Block macro execution in documents downloaded from the internet (Mark of the Web enforcement)
- Restrict OAuth application consent to administrator-approved applications
- Conduct regular phishing simulation exercises with targeted training for users who fail
T1190: Exploit Public-Facing Application
Exploiting vulnerabilities in internet-exposed applications provides attackers with direct access to internal networks without requiring any user interaction.
How It Works
Attackers systematically scan for vulnerable public-facing applications, including web servers, VPN gateways, email servers, firewalls, and API endpoints. When a vulnerability is identified, exploit code, often publicly available for high-profile CVEs, is used to achieve remote code execution or authentication bypass.
Recent high-profile examples include the exploitation of Citrix NetScaler (CVE-2023-4966, "Citrix Bleed"), MOVEit Transfer (CVE-2023-34362), and Ivanti Connect Secure VPN (CVE-2024-21887). These vulnerabilities enabled mass exploitation campaigns that affected thousands of organisations worldwide.
The time between vulnerability disclosure and active exploitation has compressed dramatically. Research indicates that the average time from CVE publication to first observed exploitation is now measured in days rather than weeks or months.
Detection Strategies
- Deploy web application firewalls (WAFs) in front of exposed applications; their logs are a detection source in their own right, and virtual patching of known CVEs buys time until the real fix is deployed
- Monitor public-facing application logs for exploitation signatures and anomalous request patterns
- Track process execution on servers hosting public-facing applications. Unexpected child processes indicate potential exploitation
- Implement network-level detection for post-exploitation behaviour such as reverse shells, tunnelling tools, or data staging
- Correlate vulnerability scan data with threat intelligence to prioritise monitoring of actively exploited vulnerabilities
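The second item in the list, anomalous request patterns in application logs, is the cheapest detection to build because the logs already exist. The following added example (not SenseOn's code, and not a signature for any of the CVEs named above) parses constructed Apache combined-format lines, decodes percent-encoding before inspecting the request, flags two generic exploitation primitives, path traversal and shell metacharacters in a query string, and separately identifies sources probing many non-existent paths, which usually precedes an exploitation attempt. The indicator lists are deliberately minimal starting points.

```python
"""Spot exploitation attempts and reconnaissance in web-server access logs.
Added example, not vendor code; the log lines are constructed in Apache
combined format and the indicator lists are deliberately generic."""
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+')

# Constructed access log: one source attempting traversal and command injection,
# one source scanning for well-known files, one ordinary user.
ACCESS_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /api/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0
203.0.113.7 - - [01/May/2024:10:00:03 +0000] "GET /cgi-bin/status?host=127.0.0.1;id HTTP/1.1" 500 0
198.51.100.9 - - [01/May/2024:10:01:00 +0000] "GET /admin HTTP/1.1" 404 0
198.51.100.9 - - [01/May/2024:10:01:01 +0000] "GET /.env HTTP/1.1" 404 0
198.51.100.9 - - [01/May/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.9 - - [01/May/2024:10:01:03 +0000] "GET /.git/config HTTP/1.1" 404 0
192.0.2.5 - - [01/May/2024:10:02:00 +0000] "POST /api/login HTTP/1.1" 200 88
"""

SHELL_META = (";", "|", "`", "$(", "&&", "||")


def parse(text):
    """Parse combined-format lines into dicts; lines that do not match are dropped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def fully_decode(s, rounds=3):
    """Undo repeated percent-encoding: attackers double-encode to slip past
    filters that decode only once.  Stops early once decoding is stable."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def indicators(req):
    """Generic exploitation primitives present in one request, after decoding."""
    target = fully_decode(req["target"])
    path, _, query = target.partition("?")
    found = []
    if "../" in path or "..\\" in path:
        found.append("path_traversal")
    if any(tok in query for tok in SHELL_META):
        found.append("command_injection")
    return found


def scanners(reqs, min_distinct_404=3):
    """Source IPs probing many non-existent paths: reconnaissance before exploitation."""
    misses = defaultdict(set)
    for r in reqs:
        if r["status"] == "404":
            misses[r["ip"]].add(r["target"])
    return sorted(ip for ip, paths in misses.items() if len(paths) >= min_distinct_404)


def analyse(text):
    reqs = parse(text)
    attempts = [{"ip": r["ip"], "target": r["target"], "status": r["status"],
                 "indicators": ind}
                for r in reqs if (ind := indicators(r))]
    return {"exploit_attempts": attempts, "scanners": scanners(reqs)}


if __name__ == "__main__":
    for key, value in analyse(ACCESS_LOG).items():
        print(key, value)
```

Note that the traversal attempt returned 403 and the injection attempt returned 500: a blocked or failed attempt is still evidence that the host is being targeted, and the source address should be fed into the process-execution and network detections listed above rather than ignored because the response was not 200.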
Prevention Measures
- Maintain a complete inventory of all internet-exposed applications and services
- Implement a risk-based vulnerability management programme that prioritises patching based on exploitability and exposure
- Deploy network segmentation to limit the blast radius of a compromised public-facing application
- Use zero-trust network access (ZTNA) to replace traditional VPN where possible
- Conduct regular external attack surface assessments
T1133: External Remote Services
External remote services, such as VPNs, Remote Desktop Protocol (RDP), Citrix, and SSH, provide legitimate remote access but also offer attackers a pathway into corporate networks.
How It Works
Attackers gain access to external remote services through several methods: credential stuffing using breached credential databases, brute-force attacks against weak passwords, exploitation of vulnerabilities in the remote access platform itself, or using credentials obtained through other means (phishing, infostealers, initial access brokers).
Once authenticated to a VPN or RDP gateway, the attacker has a foothold inside the corporate network that appears to be a legitimate remote user session. This makes detection particularly challenging, as the access pattern closely resembles normal remote work.
The rise of initial access brokers, criminal actors who specialise in gaining and selling network access, has industrialised this technique. Credentials for corporate VPNs and RDP endpoints are routinely sold on underground forums for prices ranging from a few hundred to several thousand pounds, depending on the target organisation's size and perceived value.
Detection Strategies
- Monitor for authentication anomalies: impossible travel (logins from geographically distant locations within implausible timeframes), unusual hours, new devices, or unfamiliar operating systems
- Detect brute-force and credential stuffing attacks through authentication failure rate monitoring
- Track VPN and RDP session metadata for anomalous patterns: unusually long sessions, high data transfer volumes, or connections to internal resources not typical for the authenticated user
- Correlate remote access logs with endpoint telemetry to detect post-authentication lateral movement
- Monitor dark web and criminal forums for leaked credentials associated with your organisation's domains
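The first two detections above, impossible travel and failure-rate monitoring, are straightforward to express over VPN or RDP gateway authentication logs. The block below is an added example, not SenseOn's code; the events are constructed, and it assumes an upstream enrichment step has already attached GeoIP coordinates to each source address (the `lat`/`lon` fields are that assumption). It flags consecutive successful logons whose implied speed is beyond an airliner, one source failing against many distinct usernames (credential stuffing), and one account accumulating many failures (brute force).

```python
"""Remote-access authentication analytics: impossible travel, credential
stuffing and brute force.  Added example, not vendor code; events are
constructed and assumed already enriched with GeoIP coordinates upstream."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_LOG = [
    # alice: London at 08:00, New York at 08:40 -> not physically possible
    {"user": "alice", "ts": "2024-05-01T08:00:00", "ip": "198.51.100.10",
     "lat": 51.5, "lon": -0.12, "result": "success"},
    {"user": "alice", "ts": "2024-05-01T08:40:00", "ip": "203.0.113.40",
     "lat": 40.7, "lon": -74.0, "result": "success"},
    # bob: Manchester, then London four hours later -> plausible
    {"user": "bob", "ts": "2024-05-01T07:00:00", "ip": "198.51.100.11",
     "lat": 53.48, "lon": -2.24, "result": "success"},
    {"user": "bob", "ts": "2024-05-01T11:00:00", "ip": "198.51.100.12",
     "lat": 51.5, "lon": -0.12, "result": "success"},
]
# One source cycling through six usernames within thirty seconds (stuffing).
for i, name in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"]):
    AUTH_LOG.append({"user": name, "ts": f"2024-05-01T03:00:{i * 5:02d}",
                     "ip": "203.0.113.99", "lat": 40.7, "lon": -74.0, "result": "failure"})
# One source hammering a single account (brute force).
for i in range(8):
    AUTH_LOG.append({"user": "admin", "ts": f"2024-05-01T04:00:{i * 5:02d}",
                     "ip": "192.0.2.77", "lat": 48.85, "lon": 2.35, "result": "failure"})


def _ts(s):
    return datetime.fromisoformat(s)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successes for one user whose implied speed exceeds max_kmh."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (_ts(b["ts"]) - _ts(a["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": a["ip"], "to_ip": b["ip"],
                               "km": round(km), "speed_kmh": round(speed)})
    return alerts


def _window_slices(evs, window):
    """Yield, for each event, the events that follow it within `window`."""
    for i, first in enumerate(evs):
        yield [e for e in evs[i:] if _ts(e["ts"]) - _ts(first["ts"]) <= window]


def failure_bursts(events, window=timedelta(minutes=10), min_users=5, min_attempts=8):
    """Credential stuffing: one source IP failing against >= min_users accounts.
    Brute force: one account with >= min_attempts failures.  Both within `window`."""
    fails = sorted((e for e in events if e["result"] == "failure"), key=lambda e: e["ts"])
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in fails:
        by_ip[e["ip"]].append(e)
        by_user[e["user"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for sl in _window_slices(evs, window):
            users = {e["user"] for e in sl}
            if len(users) >= min_users:
                alerts.append({"type": "credential_stuffing", "ip": ip, "users": len(users)})
                break
    for user, evs in by_user.items():
        for sl in _window_slices(evs, window):
            if len(sl) >= min_attempts:
                alerts.append({"type": "brute_force", "user": user, "attempts": len(sl)})
                break
    return alerts


if __name__ == "__main__":
    print(impossible_travel(AUTH_LOG))
    print(failure_bursts(AUTH_LOG))
```

Two caveats from practice: GeoIP places VPN exit nodes and mobile carriers imprecisely, so treat impossible travel as a signal to combine with device and MFA context rather than an automatic block, and a patient attacker spreads stuffing attempts across many sources and hours, so keep a longer, lower-threshold window alongside the tight one shown here.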
Prevention Measures
- Enforce multi-factor authentication (MFA) on all external remote access services without exception
- Implement conditional access policies that evaluate device health, location, and risk score before granting access
- Restrict RDP exposure to the internet; use jump servers or ZTNA for remote administration
- Deploy account lockout policies that balance security with operational requirements
- Regularly audit remote access accounts and disable dormant credentials
T1078: Valid Accounts
The use of compromised valid credentials represents one of the most difficult initial access techniques to detect because the attacker's activity appears indistinguishable from legitimate user behaviour.
How It Works
Attackers obtain valid credentials through multiple channels: credential dumping from previous compromises, purchasing credentials from infostealers or initial access brokers, harvesting credentials through phishing campaigns, or extracting credentials from code repositories, configuration files, and other insecure storage locations.
Cloud account compromise has become particularly prevalent as organisations migrate workloads to cloud platforms. Attackers target Azure AD (now Entra ID), AWS IAM, and Google Workspace credentials to gain access to cloud resources, email, and collaborative platforms.
Detection Strategies
- Implement user and entity behaviour analytics (UEBA) to detect anomalous usage patterns even when valid credentials are used
- Monitor for lateral movement patterns that follow initial authentication; a legitimate user typically accesses a consistent set of resources, whilst an attacker explores broadly
- Track authentication events across all identity providers (on-premises Active Directory, Azure AD, SAML/OIDC providers) in a unified view
- Detect service account abuse through behavioural baselining; service accounts should exhibit highly predictable behaviour patterns
- Monitor for credential access attempts (e.g., LSASS memory access, SAM database queries) that indicate the attacker is attempting to harvest additional credentials
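The second and fourth items above share one idea: a principal has a normal set of resources, and an attacker with that principal's credentials explores outside it. The following added example (not SenseOn's code, and not a description of any product's UEBA) makes the idea concrete over constructed data: a 30-day baseline of resources per principal, a day of access events, a breadth threshold for human users, and a zero-tolerance rule for service accounts, whose access set should never change without a change ticket.

```python
"""Behavioural baselining for valid-account abuse: compare what a principal
touches today against the set it normally touches.  Added example, not vendor
code; the baseline and the access events are constructed."""
from collections import defaultdict

# Resources each principal accessed over a 30-day baseline window (constructed).
BASELINE = {
    "alice":      {"mail", "crm", "share-finance", "sharepoint-sales"},
    "dave":       {"mail", "jira", "git"},
    "svc-backup": {"share-finance", "share-hr"},   # service account: fixed access set
}
SERVICE_ACCOUNTS = {"svc-backup"}

# Today's access events (constructed).  alice's session wanders far outside
# her norm; dave adds one new wiki; svc-backup touches a domain controller.
EVENTS = [
    {"user": "alice", "resource": "mail"}, {"user": "alice", "resource": "share-finance"},
    {"user": "alice", "resource": "share-hr"}, {"user": "alice", "resource": "share-legal"},
    {"user": "alice", "resource": "dc01$admin"}, {"user": "alice", "resource": "share-eng"},
    {"user": "alice", "resource": "vpn-config-repo"},
    {"user": "dave", "resource": "mail"}, {"user": "dave", "resource": "git"},
    {"user": "dave", "resource": "confluence"},
    {"user": "svc-backup", "resource": "share-finance"},
    {"user": "svc-backup", "resource": "dc01$admin"},
    {"user": "newhire", "resource": "mail"},
]


def score_principal(user, touched, baseline, service_accounts,
                    min_novel=5, min_share=0.5):
    """Return an alert dict for one principal's day, or None if nothing stands out.

    Human users are judged on breadth: at least `min_novel` resources never seen
    in the baseline AND those making up at least `min_share` of today's set.
    Service accounts alert on any novelty at all.  A principal with no baseline
    cannot be scored and is reported as informational rather than ignored."""
    known = baseline.get(user)
    if known is None:
        return {"user": user, "severity": "info", "reason": "no baseline",
                "novel": sorted(touched)}
    novel = touched - known
    share = len(novel) / len(touched) if touched else 0.0
    if user in service_accounts and novel:
        sev, reason = "high", "service account deviated from fixed access set"
    elif len(novel) >= min_novel and share >= min_share:
        sev, reason = "medium", "broad exploration outside baseline"
    else:
        return None
    return {"user": user, "severity": sev, "reason": reason,
            "novel": sorted(novel), "novel_share": round(share, 2)}


def evaluate(events, baseline=BASELINE, service_accounts=SERVICE_ACCOUNTS):
    """Group a day's events by principal and score each one."""
    touched = defaultdict(set)
    for e in events:
        touched[e["user"]].add(e["resource"])
    results = [score_principal(u, res, baseline, service_accounts)
               for u, res in sorted(touched.items())]
    return [r for r in results if r]


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The breadth rule is deliberately two-sided: five new resources out of fifty is a normal day for an analyst, whereas five new resources out of seven is a session that looks nothing like its owner. The baseline must also be refreshed on a rolling basis, otherwise a slow-moving attacker trains it to accept their behaviour.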
Prevention Measures
- Deploy phishing-resistant MFA (FIDO2, certificate-based authentication) across all accounts
- Implement privileged access management (PAM) with just-in-time elevation for administrative accounts
- Conduct regular credential exposure assessments using breach monitoring services
- Enforce strong password policies and prohibit password reuse across services
T1195: Supply Chain Compromise
Supply chain attacks compromise a trusted vendor or software component to gain access to downstream targets: the organisations that use the compromised product.
How It Works
The most impactful supply chain attacks target widely used software products or managed service providers. The SolarWinds Sunburst attack (2020) compromised the SolarWinds Orion build process to inject malicious code into a legitimate, signed software update that was distributed to approximately 18,000 organisations. The Kaseya VSA attack (2021) exploited vulnerabilities in Kaseya's VSA remote monitoring and management platform, used by managed service providers to administer their customers, to push ransomware to fewer than 60 MSPs and an estimated 1,500 downstream businesses in a single wave.
Supply chain compromise is particularly dangerous because it abuses existing trust relationships. The compromised software update arrives through the legitimate update channel, is signed with the vendor's legitimate code-signing certificate, and executes within the context of a trusted application.
Detection Strategies
- Monitor for anomalous behaviour from trusted applications. Legitimate software that suddenly initiates outbound connections to unfamiliar infrastructure, executes unexpected child processes, or accesses sensitive data warrants investigation
- Implement software bill of materials (SBOM) analysis to understand dependencies and monitor for compromises in open-source components
- Deploy network detection for command-and-control patterns, even from trusted application processes
- Track software update timing and validate that updates are expected before allowing execution
- Baseline normal behaviour for managed service provider connections and alert on deviations
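The SBOM and update-validation items above are the two detections that can run before a compromised component ever executes. The following added example (not SenseOn's code, and not a reference to any real advisory) shows both over constructed data: it walks a CycloneDX JSON document, matches each component's package URL against a constructed advisory feed of compromised versions, and verifies an update artefact's bytes against the SHA-256 the SBOM declares, treating a missing hash as a failure rather than a pass. The package names and the artefact bytes are placeholders.

```python
"""Supply-chain checks: match an SBOM against an advisory list and verify an
update artefact against the hash the SBOM declares.  Added example, not vendor
code; the CycloneDX document, advisory feed and artefact bytes are constructed."""
import hashlib

GOOD_ARTEFACT = b"placeholder package contents for example-stream 3.3.6"  # constructed
GOOD_SHA256 = hashlib.sha256(GOOD_ARTEFACT).hexdigest()

# Parsed form of a CycloneDX 1.5 JSON SBOM (constructed; real SBOMs carry far
# more fields, but bomFormat/specVersion/components/purl/hashes are the
# standard ones used here).
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.1.0",
         "purl": "pkg:npm/example-logger@2.1.0"},
        {"type": "library", "name": "example-stream", "version": "3.3.6",
         "purl": "pkg:npm/example-stream@3.3.6",
         "hashes": [{"alg": "SHA-256", "content": GOOD_SHA256}]},
        {"type": "library", "name": "example-http", "version": "1.9.2",
         "purl": "pkg:pypi/example-http@1.9.2"},
    ],
}

# Constructed advisory feed: versionless purl -> versions known to be compromised.
ADVISORIES = {
    "pkg:npm/example-stream": {"3.3.6"},
    "pkg:pypi/example-http": {"1.9.0", "1.9.1"},
}


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version).
    Qualifiers and subpath are dropped first so a '@' never hides behind them."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, _, version = core.partition("@")
    return base, version


def compromised_components(sbom, advisories):
    """purls in the SBOM whose exact version appears in the advisory feed."""
    hits = []
    for c in sbom.get("components", []):
        purl = c.get("purl")
        if not purl:
            continue          # no purl means no reliable identity; report elsewhere
        base, version = split_purl(purl)
        if version in advisories.get(base, set()):
            hits.append(purl)
    return hits


def verify_artefact(component, data):
    """True only if the SBOM declares a SHA-256 for this component and the
    downloaded bytes match it.  No declared hash is a failure, not a pass:
    an update you cannot pin to a known digest should not be installed."""
    for h in component.get("hashes", []):
        if h.get("alg", "").upper() == "SHA-256":
            return hashlib.sha256(data).hexdigest() == h["content"].lower()
    return False


if __name__ == "__main__":
    print("compromised:", compromised_components(SBOM, ADVISORIES))
    stream = SBOM["components"][1]
    print("artefact ok:", verify_artefact(stream, GOOD_ARTEFACT))
    print("tampered ok:", verify_artefact(stream, GOOD_ARTEFACT + b"\x00"))
```

A hash check only proves the bytes match what the vendor published; in the SolarWinds case the published bytes were the compromised ones. That is why the behavioural detections above (unexpected outbound connections and child processes from a trusted application) remain necessary even when every artefact verifies.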
Prevention Measures
- Evaluate vendor security practices as part of procurement and ongoing vendor management
- Implement network segmentation to limit the impact of a compromised vendor connection
- Deploy application allowlisting to restrict execution to approved software
- Monitor third-party network connections and restrict access to only required resources
A Unified Detection Approach
The diversity of initial access techniques highlights a fundamental challenge: no single detection technology covers all entry vectors. Email security catches phishing but not VPN brute-force attacks. Vulnerability scanning identifies exposed applications but not compromised credentials. Network monitoring detects exploitation traffic but not cloud account abuse.
SenseOn addresses this challenge through unified telemetry collection across endpoint, network, cloud, and identity sources. Its correlation engine links signals across all of these layers to detect initial access attempts regardless of the technique employed. Whether an attacker uses phishing, exploits a public-facing application, abuses stolen credentials, or compromises a supply chain vendor, the cross-layer correlation identifies the resulting anomalous behaviour patterns.
For security teams building their detection capabilities around the MITRE ATT&CK framework, the ability to monitor all initial access vectors from a single platform is not a convenience; it is a necessity.